Gralhix OSINT Exercise #006

When Images and Words Clash

On January 19, 2023, a journalist with a large Twitter/X following shared an image. It showed a destroyed vehicle engulfed in smoke and flames. The tweet read:

“BREAKING: TTP carried out a suicide attack on a police post in Khyber city of Pakistan that killed three Pakistani police officers.”

But here’s the twist: per Gralhix, the photo doesn’t match the event described. Our task is to back this claim up. Let’s get to work.

Analyzing the Image

The Scene

The image shows a road littered with debris, leading to a burning vehicle. A partially damaged wall stands nearby, featuring a distinctive cross or plus sign (+). Metal fragments scatter the foreground, hinting at a powerful explosion.

Annotation noting the cross or + feature on the damaged building

What’s Missing

Dense smoke obscures much of the background, limiting our visibility. There are no visible map markings or identifying landmarks.

Red Flags and OSINT Techniques

1. Image Quality: The graininess and color saturation suggest an older photo, contradicting the 2023 posting date.
2. Architectural Details: The wall’s style and the ‘+’ feature could help pinpoint the location.
3. Vehicle Analysis: Even heavily damaged, the vehicle’s remains might offer clues about its make and model.
4. Environmental Clues: The ground’s appearance could hint at the climate and geography.
5. Reverse Image Search: This tool is crucial for tracing the image’s origin.

Unraveling the Mystery

An exact match reverse image search with Google revealed surprising results:

Same Image, Multiple hits, Green highlights are a 2006 attack in Iraq, Red occurs later in other locations

The Wikimedia link is especially interesting as it is a collection of freely usable images with accompanying details of the image’s origin:

Confirming the Truth: A Multi-Source Analysis

But how do we know that Wikimedia Common’s notes are accurate? Unfortunately, the source links are no longer good.

Our search delivered two key pieces of evidence that allowed 1) a side-by-side comparison of the original image with an official US government photo and 2) further confirmation from a stock image listing. Let’s break down how these findings solidify our case:

1. Side-by-Side Comparison — by googling the information in Wikimedia’s image description, we can find a report from the US Department regarding the 27 August incident in Iraq. This report allowed a comparison of our target image with another photo, purportedly from the same incident but from a different angle.

Annotated exercise image on the left, US Department of Defense Image annotated on the right

This comparison revealed:

• Architectural Consistency: Both images show a building with a distinctive cross or plus-shaped (+) external feature, strongly suggesting the same location.
• Similar Debris Field: Scattered rubble and a light-colored, dusty ground surface are consistent across both images.
• Vehicle Damage: While shown from different angles, both photos depict severely damaged vehicles consistent with a powerful explosion.
• Environmental Factors: Heavy smoke and dust clouds are present in both scenes, indicating different stages of the same recent event.
• Response Timeline: The progression from active fires to emergency response fits logically within a single incident.

2. Stock Photo Confirmation A search on Alamy, a reputable stock photo site, uncovered a high-quality version of our original image. The listing provided reinforced key details:

• Origin Confirmation: Alamy’s description corroborates Wikimedia Commons, stating the image is from Iraq in 2006.
• Public Domain Status: The image is listed as public domain, consistent with its age and likely official source.

The evidence forms a compelling case

1. The side-by-side comparison strongly suggests both images depict the same 2006 Iraq incident, matching an official Defense.gov photo.
2. Alamy’s stock photo listing independently confirms the 2006 Iraq origin.
3. This aligns with our earlier Wikimedia Commons findings.

We can now state with almost certainty that the image in the tweet is misattributed. It originates from a 2006 incident in Iraq, not a 2023 event in Pakistan as suggested in the tweet.

Conclusion: Beyond Image Verification

Having established the true origin of the image as Iraq in 2006, not Pakistan in 2023, we might be tempted to cry “disinformation.” However, this case study reveals the importance of nuanced analysis in OSINT investigations.

1. Resist Hasty Judgments:

• Our initial impulse to label this as disinformation highlights the need for caution in OSINT work.
• Personal biases, whether from past experiences or preconceptions about sources, can cloud judgment.

2. Context is Crucial:

• Determining disinformation requires more than just identifying a misattributed image.
• We must consider broader patterns, intent, and the evolving nature of social media journalism.

3. The Evolution of Visual Shorthand:

• Our reverse image search revealed this picture’s widespread use across various incidents.
• It has become a type of visual shorthand for car bombings in the Middle East and Africa. Example 1, Example 2, Example 3, Example 4
• This usage, while problematic, differs from deliberate disinformation campaigns.

4. Journalistic Standards in the Digital Age:

• The incident raises questions about journalistic ethics on platforms like X/Twitter, Mastodon, BlueSky and others.
• Do the same standards apply across all media and regions? This is an ongoing debate in the field.

5. Sticking to the Task (one that I need to keep reminding myself of):

• Our exercise asked us to verify the image, not to judge the tweet’s intent.
• This underscores the importance of adhering to given parameters in OSINT work.

Lessons Learned:

1. Always verify images independently of accompanying text.
2. Use multiple search engines and techniques to cross-reference information.
3. Be aware of personal biases and resist jumping to conclusions.
4. Consider the broader context and evolving media landscape when analyzing social media posts.
5. Stick to the parameters of your investigation, avoiding scope creep.

This exercise reminds us that OSINT is a powerful tool that requires careful, ethical application. As investigators, our role is to uncover and present facts objectively, leaving broader judgments about disinformation to be made only with comprehensive evidence and context.

Stay tuned for my next write-up, and if you’re interested in working on your OSINT skills check out Gralhix’s exercise page!